When the first cases emerged, they were treated as isolated. But now, with more than 1 million Pix keys exposed since 2021, according to data recently released by the Central Bank, it is more accurate to call them common. The most recent was the case of Cashway Technology, which, despite involving only 50 keys, made Brazil discuss security in the instant payment system once again.
In the first months of this year, new leak incidents were recorded, raising concerns about the protection of users’ personal data. Before Cashway, an incident at QI Sociedade de Crédito Direto exposed the Pix keys of 25,349 customers. The XP (XPBR31) case also had a significant impact: at the end of April, the institution informed customers that a database hosted by an external supplier had suffered ‘unauthorized access.’ The exposed information included name, phone, email, date of birth, zip code, marital status, position and nationality, as well as which financial products were contracted, the XP account number and the previous month’s balance.
According to Thiago Guedes, CEO of DeServ, a company specializing in information security and data privacy, companies responsible for protecting Pix keys can only avoid isolated system failures by overseeing the entire development lifecycle of their applications and systems, from programming and testing through to production. This monitoring exists precisely to catch potential issues and failures before they occur.
“In this way, all companies that handle personal data need to develop continuous improvement processes covering both the legal and information security aspects. Throughout all data processing stages, it is essential to seek immediate alignment with the LGPD. The legislation itself requires an impact report on data protection, and the company needs to structure itself so that it has these processes well underway to manage possible risks,” he states.
For Pix key holders, it is essential to be aware that it is not always possible to know when, or whether, one has been the victim of a leak. For that reason, taking extra security measures is always advisable. “Although the leaked data does not include passwords or allow financial transactions, any exposure of personal information can facilitate scam attempts, especially through social engineering,” he warns.
Guedes offers some tips on how to protect yourself:
Monitor your Pix keys: frequently monitor the use of your Pix keys through your bank’s application. If you notice anything strange or unknown, contact the financial institution immediately.
Activate alerts and notifications: keep Pix transaction notifications enabled on your mobile phone to quickly identify any unauthorized movements.
Be cautious with suspicious messages: scammers often use leaked data to send fake messages (phishing). Never click on links received via SMS, WhatsApp, or email, even if they appear legitimate.
Update your information: if you suspect that your key has been compromised, you can request the portability or deletion of the Pix key from your bank.
Use multiple authentication factors: whenever possible, enable two-step verification in financial apps and use strong, unique passwords.
Check if your data has leaked: the Central Bank provides official channels to inform users about any leaks. Stay tuned for announcements directly in your bank’s app or on the BC website.
According to the Central Bank, the leaked data includes the holder’s name, CPF, the bank the key is registered with, branch number, and the Pix key creation date. No sensitive data, such as passwords, balances, or statements, was compromised. Nevertheless, the recommendation is to remain extra vigilant.
“Pix is a secure system, but no technology is immune to operational failures. Therefore, user care is an essential part of protection,” concludes the expert.